Overview

overview

10

Static

static

e3992c261a...d7.exe

windows7_x64

10

e3992c261a...d7.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    96s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-04-2022 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3992c261acc5b38ca6e78c626e2952f82c7155de69f444184c321d27f4d2fd7.exe

  • Size

    1.2MB

  • MD5

    6c1524df835f66bee7bd9d8f99b285c8

  • SHA1

    56230808d4a146ee2bbfbe3a3b0ce04e3cd415d6

  • SHA256

    e3992c261acc5b38ca6e78c626e2952f82c7155de69f444184c321d27f4d2fd7

  • SHA512

    977e71117500a3c9065eda7936010c9d81ca97a7823b6ab8349f56807aaa6cec01f533a388381f43672b01c1ef0df10ae6267f2ee710828a0b281a8e2b8a7a7a

Score
10/10
massloggercollectionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3992c261acc5b38ca6e78c626e2952f82c7155de69f444184c321d27f4d2fd7.exe
    "C:\Users\Admin\AppData\Local\Temp\e3992c261acc5b38ca6e78c626e2952f82c7155de69f444184c321d27f4d2fd7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUSBHDKTT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9819.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2448
    • C:\Users\Admin\AppData\Local\Temp\e3992c261acc5b38ca6e78c626e2952f82c7155de69f444184c321d27f4d2fd7.exe
      "{path}"
      2⤵
        PID:4388
      • C:\Users\Admin\AppData\Local\Temp\e3992c261acc5b38ca6e78c626e2952f82c7155de69f444184c321d27f4d2fd7.exe
        "{path}"
        2⤵
        • Checks computer location settings
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:3076
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e3992c261acc5b38ca6e78c626e2952f82c7155de69f444184c321d27f4d2fd7.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:324

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e3992c261acc5b38ca6e78c626e2952f82c7155de69f444184c321d27f4d2fd7.exe.log
      Filesize

      1KB

      MD5

      6f8f3a9a57cb30e686d3355e656031e0

      SHA1

      acccd6befb1a2f40e662280bc5182e086a0d079b

      SHA256

      283586e83b25099a5698cb9caf9c594a37060d11e0f55c81bb9c6d4f728448ea

      SHA512

      8f11d645ff4f8d5b1c45b06eb52cd45319659255306d60e80e33abfd04b9e3b1164679f11a8a23bd493e4b3f6b9841d70e553a01835eeaf6035b4d05e4fd7b54

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp9819.tmp
      Filesize

      1KB

      MD5

      d8fae1789a19ef2cdcdb171b0d44d828

      SHA1

      b575276a37eee673dc986e289ee002598fa1b11f

      SHA256

      e8fa6d9d1e68264c529c3c761448731a06f8df8fb09211ef625cf24a414dcf7e

      SHA512

      2b8d43afb7516864c0f404b020ec98e0157ddb685bebc85aee2d67115e2fd283211c12d3d60f8cc73844f794c1afdbbe78238b9f66185b23d528c1092ef36728

      Download Submit

    • memory/324-154-0x0000000006EA0000-0x0000000006EBE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/324-143-0x0000000000000000-mapping.dmp

      Download

    • memory/324-156-0x0000000007C10000-0x0000000007C2A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/324-146-0x00000000059C0000-0x0000000005FE8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/324-153-0x00000000703A0000-0x00000000703EC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/324-160-0x0000000007F40000-0x0000000007F5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/324-159-0x0000000007E30000-0x0000000007E3E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/324-152-0x00000000078C0000-0x00000000078F2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/324-151-0x0000000005385000-0x0000000005387000-memory.dmp

      Filesize

      8KB

      Download

    • memory/324-158-0x0000000007E80000-0x0000000007F16000-memory.dmp

      Filesize

      600KB

      Download

    • memory/324-150-0x0000000006900000-0x000000000691E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/324-155-0x0000000008290000-0x000000000890A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/324-149-0x00000000061A0000-0x0000000006206000-memory.dmp

      Filesize

      408KB

      Download

    • memory/324-145-0x0000000005320000-0x0000000005356000-memory.dmp

      Filesize

      216KB

      Download

    • memory/324-161-0x0000000007F20000-0x0000000007F28000-memory.dmp

      Filesize

      32KB

      Download

    • memory/324-157-0x0000000007C70000-0x0000000007C7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/324-148-0x0000000005930000-0x0000000005952000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2448-136-0x0000000000000000-mapping.dmp

      Download

    • memory/3076-144-0x0000000006960000-0x00000000069B0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3076-142-0x00000000063E0000-0x0000000006446000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3076-140-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

      Download

    • memory/3076-139-0x0000000000000000-mapping.dmp

      Download

    • memory/3076-147-0x0000000005023000-0x0000000005025000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4188-134-0x0000000009120000-0x000000000964C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4188-130-0x00000000009E0000-0x0000000000B0E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4188-133-0x0000000005650000-0x000000000565A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4188-131-0x0000000005970000-0x0000000005F14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4188-132-0x00000000054B0000-0x0000000005542000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4188-135-0x00000000099E0000-0x0000000009A7C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4388-138-0x0000000000000000-mapping.dmp

      Download